Attribute-Based Encryption. Allison Lewko, Microsoft Research

Size: px
Start display at page:

Download "Attribute-Based Encryption. Allison Lewko, Microsoft Research"

Transcription

1 Attribute-Based Encryption Allison Lewko, Microsoft Research

2 The Cast of Characters This talk will feature work by: Brent Waters Amit Sahai Vipul Goyal Omkant Pandey With special guest appearances by: Melissa Chase, Dan Boneh, Matt Franklin, Ran Canetti, Shai Halevi, Jon Katz, Xavier Boyen, Sanjam Garg, Craig Gentry, Tatsuaki Okamoto Katsuyuki Takashima

3 Motivation Who should access this data?

4 ABE [SW05, GPSW06] Describe authorized users with attributes : AND OR certified doctor EMT

5 Key-Policy ABE Specification = security parameter U = attribute universe Setup(, U): generate public parameters PP and master key MSK KeyGen(Policy, MSK): generate a user key for a given policy Encrypt(PP, M, S µ U): encrypt message M under attribute set S Decrypt(CT, SK): decrypt ciphertext using a key

6 Security Threat: Collusion Example: encrypt a job posting: AND Masters Degree > 2 years experience Security Threat:

7 Key-Policy ABE Security Definition IND-CPA game: PP, MSK Challenger PP Policy f SK f M 0, M 1, S Encrypt(PP, M b, S) Repeat b? Attacker b Policy f SK f Repeat

8 Construction Tools Linear Secret Sharing: OR secret AND z -z OR v A z z -z -z AND C B D z-v B Only authorized set of shares allows reconstruction of

9 Construction Tools Independent randomness

10 Basic KP-ABE Construction [GPSW06]

11 Stepping through Decryption divide

12 High Level View of Scheme AND blinding factor A OR B C Chain Reaction C in CT A in CT

13 Main Features of the Construction Conceptual Checklist: 1. How are we encoding the access formula? with a linear secret sharing scheme 2. How are we tying shares to attributes? multiplying by the H i elements raised to random exponents 3. How are we enforcing presence of attributes in the ciphertext? the need to cancel the H i contributions 4. How are we preventing collusion? injecting personalized randomness during sharing

14 Proof Challenges Hard Problem Simulator Attacker Simulator must balance two competing goals: answer attacker queries leverage attacker success

15 Partitioning Proofs [BF01,CHK03,BB04, ] Space of formulas for keys: = key simulator can make = key simulator can t make

16 Problem: Why Should the Attacker Two Approaches: Respect the Partition? 1. Make Attacker Commit (weaker) selective security Too costly for ABE 2. Guess and quit when wrong HA!

17 Proof of Selective Security [GPSW06] Simulator Attacker

18 How the Simulator Should Work?

19 Simulating Keys

20 Strategic Sharing z OR AND z OR Shares for challenge attributes known to simulator z A z AND B C z z z B D Challenge set

21 Cancelations

22 Straightline Simulation Recap

23 Why did we need selective security?

24 Looking Ahead What we ve shown: Selectively secure Key-Policy ABE for formulas What else might we want? Full security Ciphertext-Policy ABE for formulas ABE for circuits Hiding policies Decentralized authorities

25 Ciphertext-Policy ABE Specification = security parameter U = attribute universe Setup(, U): generate public parameters PP and master key MSK KeyGen(S µ U, MSK): generate a user key for an attribute set S Encrypt(PP, M, Policy): encrypt message M under the given policy Decrypt(CT, SK): decrypt ciphertext using a key

26 Constructing CP-ABE for formulas Intuition: switch SK and CT from KP-ABE construction Before:

27 Adding a Layer of Indirection

28 Proving Selective Security? Selective security for KP-ABE: Set S Size(PP) > size(s) PP encodes S Simulator PP Selective security for CP-ABE: formula f PP How can PP encode f?

29 One Approach [e.g. G06, W11] To fit a big formula into small PP: Use a big assumption!

30 Moving Beyond Selective Security Dual System Encryption [W09,LW10] Main goal: Simulator prepared to make any key, use any ciphertext How can this be possible? Consider joint distribution of key and ciphertext Maybe simulator can sample from alternate distribution and fool attacker on subset of allowable pairs

31 Dual System Encryption 2 distributions of keys, 2 distributions of ciphertexts: Used in real system Normal Semi-Functional Normal Semi-Functional (with high probability)

32 Overview of a Dual System Encryption Proof Real Hybrid Security Argument: Game: Hardest step! Not Compatible! Incompatiblity of key/ct Decryption failure M b High probability decryption failure Message independent CT Regardless of Compability!

33 The Critical Step Instance T? Hard Problem Simulator Attacker? Simulator cannot know nature of key!

34 Nominal Semi-Functionality [LW10]? Correlation! Decryption always succeeds Simulator

35 How is Correlation Hidden? Public Parameters PP V PP - random variable Internal View V - has some entropy Simulator Attacker

36 Conceptualizing Semi-functional Space Decompose: Semi-functional Space Semi-functional component S.F. components mirror the structure of normal components, but have their own S.F. params Normal Component Separated from PP Public Parameters Normal Space

37 Convenient Setting: Composite Order Bilinear Groups

38 Computational Assumptions Example: Subgroup Decision Problems

39 KP-ABE Construction: Dual System Version (*Slightly simplified) Shares of random

40 Decrypting S.F. Ciphertext with S.F. Key

41 Executing the Dual System Proof

42 Executing the Dual System Proof

43 The Bait and Switch But Wait!!! We were supposed to be sharing something random in S.F. space, not 0!

44 Finishing the Dual System Proof

45 Many Keys and Reusing Parameters How do we make sure the shared value in the S.F. space is hidden? We rely on attributes not appearing in the CT We use the third subgroup for a hybrid over keys (skipping details) We impose limit on reuses of attributes per key

46 Summary of Dual System Proof Semi-functional space shadows normal space Entropy from unpublished S.F. parameters can hide correlation Subgroup decision assumptions can move objects in and out of S.F. space

47 Dual System in Prime Order Groups [e.g. OT10, L12, LW12]

48 Other Improvements and Extensions Multiple authorities [C07, LW11a, OT12a] Enables decentralizing functionality and trust Large universe constructions [GPSW06, LW11b,OT12b] Attribute universe size is exponential Full security without restricting reuse of parameters [LW12] New understanding of relationship between selective security techniques and dual system

49 Alternate View of Dual System Encryption [LW12] Viewing the security game in S.F. space: PP in S.F. Space Public Params Policy f Simulator gets some info before setting params: opportunity to adapt prior selective techniques! Repeat Challenger M 0, M 1, attributes Enc(M b, PP, attributes) Policy f Repeat Attacker

50 Breaking News Updates Brought to you by lattice-based cryptographers:

51 ABE for Circuits from Multi-Linear Maps [SW12]

Fully Secure Anonymous HIBE with Short Ciphertexts

Fully Secure Anonymous HIBE with Short Ciphertexts Fully Secure Anonymous HIBE with Short Ciphertexts Angelo De Caro Vincenzo Iovino Giuseppe Persiano Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. {decaro,iovino,giuper}@dia.unisa.it

More information

Notes for Lecture 14

Notes for Lecture 14 COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e

More information

Attribute-based encryption with encryption and decryption outsourcing

Attribute-based encryption with encryption and decryption outsourcing Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Attribute-based encryption with encryption and decryption outsourcing

More information

A Punctured Programming Approach to Adaptively Secure Functional Encryption

A Punctured Programming Approach to Adaptively Secure Functional Encryption A Punctured Programming Approach to Adaptively Secure Functional Encryption Brent Waters University of Texas at Austin bwaters@cs.utexas.edu Abstract We propose the first construction for achieving adaptively

More information

Keywords: Multi-authority attribute based encryption, key policy, ciphertext policy, central authority free

Keywords: Multi-authority attribute based encryption, key policy, ciphertext policy, central authority free Computing and Informatics, Vol. 35, 2016, 128 142 SIMPLE MULTI-AUTHORITY ATTRIBUTE-BASED ENCRYPTION FOR SHORT MESSAGES Viktória I. Villányi Department of Operations Research ELTECRYPT Research Group Eötvös

More information

Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018

Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric) Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f

More information

Implementing Fully Key-Homomorphic Encryption in Haskell. Maurice Shih CS 240h

Implementing Fully Key-Homomorphic Encryption in Haskell. Maurice Shih CS 240h Implementing Fully Key-Homomorphic Encryption in Haskell Maurice Shih CS 240h Abstract Lattice based encryption schemes have many desirable properties. These include uantum and classic computer attack

More information

Key-policy Attribute-based Encryption for Boolean Circuits from Bilinear Maps

Key-policy Attribute-based Encryption for Boolean Circuits from Bilinear Maps Key-policy Attribute-based Encryption for Boolean Circuits from Bilinear Maps Ferucio Laurenţiu Ţiplea and Constantin Cătălin Drăgan Department of Computer Science Al.I.Cuza University of Iaşi Iaşi 700506,

More information

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. G Swetha M.Tech Student Dr.N.Chandra Sekhar Reddy Professor & HoD U V N Rajesh Assistant Professor Abstract Cryptography

More information

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing wwwijcsiorg 10 Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing Yinghui Zhang 12 1 National Engineering Laboratory for Wireless Security Xi'an University of Posts and Telecommunications

More information

Tools for Computing on Encrypted Data

Tools for Computing on Encrypted Data Tools for Computing on Encrypted Data Scribe: Pratyush Mishra September 29, 2015 1 Introduction Usually when analyzing computation of encrypted data, we would like to have three properties: 1. Security:

More information

Semi-Adaptive Security and Bundling Functionalities Made Generic and Easy

Semi-Adaptive Security and Bundling Functionalities Made Generic and Easy Semi-Adaptive Security and Bundling Functionalities Made Generic and Easy Rishab Goyal rgoyal@cs.utexas.edu Venkata Koppula kvenkata@cs.utexas.edu Brent Waters bwaters@cs.utexas.edu Abstract Semi-adaptive

More information

A Key-Policy Attribute-based Encryption Scheme for General Circuit from Bilinear Maps

A Key-Policy Attribute-based Encryption Scheme for General Circuit from Bilinear Maps International Journal of Network Security, Vol.19, No.5, PP.704-710, Sept. 2017 (DOI: 10.6633/IJNS.201709.19(5).07) 704 A Key-Policy Attribute-based Encryption Scheme for General Circuit from Bilinear

More information

DECENTRALIZED ATTRIBUTE-BASED ENCRYPTION AND DATA SHARING SCHEME IN CLOUD STORAGE

DECENTRALIZED ATTRIBUTE-BASED ENCRYPTION AND DATA SHARING SCHEME IN CLOUD STORAGE DECENTRALIZED ATTRIBUTE-BASED ENCRYPTION AND DATA SHARING SCHEME IN CLOUD STORAGE ABSTRACT We propose a Multi-Authority Attribute-Based Encryption (ABE) system. In our system, any party can become an authority

More information

Better 2-round adaptive MPC

Better 2-round adaptive MPC Better 2-round adaptive MPC Ran Canetti, Oxana Poburinnaya TAU and BU BU Adaptive Security of MPC Adaptive corruptions: adversary adversary can decide can decide who to who corrupt to corrupt adaptively

More information

Security of Identity Based Encryption - A Different Perspective

Security of Identity Based Encryption - A Different Perspective Security of Identity Based Encryption - A Different Perspective Priyanka Bose and Dipanjan Das priyanka@cs.ucsb.edu,dipanjan@cs.ucsb.edu Department of Computer Science University of California Santa Barbara

More information

Space-Efficient Identity-Based Encryption: Spelling out the Approach by Boneh-Gentry-Hamburg

Space-Efficient Identity-Based Encryption: Spelling out the Approach by Boneh-Gentry-Hamburg Anais do IX Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais 279 Space-Efficient Identity-Based Encryption: Spelling out the Approach by Boneh-Gentry-Hamburg Patrícia Lustosa

More information

Collusion-Resistant Group Key Management Using Attributebased

Collusion-Resistant Group Key Management Using Attributebased Collusion-Resistant Group Key Management Using Attributebased Encryption Presented by: Anurodh Joshi Overview of the Paper Presents a ciphertext-policy attribute-based encryption (CP-ABE) scheme to solve

More information

Dynamic Credentials and Ciphertext Delegation for Attribute-Based Encryption

Dynamic Credentials and Ciphertext Delegation for Attribute-Based Encryption Dynamic Credentials and Ciphertext Delegation for Attribute-Based Encryption Amit Sahai 1, Hakan Seyalioglu 2, and Brent Waters 3 1 Department of Computer Science, UCLA 2 Department of Mathematics, UCLA

More information

An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing

An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing Presented By: Arinjita Paul Authors: S. Sharmila Deva Selvi, Arinjita Paul, C. Pandu Rangan TCS Lab, Department of CSE, IIT Madras.

More information

DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems

DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems 1790 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 8, NO. 11, NOVEMBER 2013 DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems Kan Yang, Associate Member,

More information

IND-CCA2 secure cryptosystems, Dan Bogdanov

IND-CCA2 secure cryptosystems, Dan Bogdanov MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results

More information

Functional Encryption and its Impact on Cryptography

Functional Encryption and its Impact on Cryptography Functional Encryption and its Impact on Cryptography Hoeteck Wee ENS, Paris, France Abstract. Functional encryption is a novel paradigm for public-key encryption that enables both fine-grained access control

More information

Introduction to Security Reduction

Introduction to Security Reduction springer.com Computer Science : Data Structures, Cryptology and Information Theory Springer 1st edition Printed book Hardcover Printed book Hardcover ISBN 978-3-319-93048-0 Ca. $ 109,00 Planned Discount

More information

Secure Data Sharing in Cloud Computing: Challenges and Research Directions

Secure Data Sharing in Cloud Computing: Challenges and Research Directions Cyber Summer School Melbourne, 12-13 Feb 2018 Secure Data Sharing in Cloud Computing: Challenges and Research Directions Willy Susilo Institute of Cybersecurity and Cryptology School of Computing and Information

More information

Attribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs

Attribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs Attribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs Michael Clear and Ciarán McGoldrick School of Computer Science and Statistics, Trinity College Dublin {clearm, Ciaran.McGoldrick}@scss.tcd.ie

More information

Lecture 15: Public Key Encryption: I

Lecture 15: Public Key Encryption: I CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used

More information

On the Security of a Certificateless Public-Key Encryption

On the Security of a Certificateless Public-Key Encryption On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,

More information

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275,

More information

Multi-authority attribute based encryption with honest-but-curious central authority

Multi-authority attribute based encryption with honest-but-curious central authority Proceedings of the 10th International Conference on Computational and Mathematical Methods in Science and Engineering, CMMSE 2010 27 30 June 2010. Multi-authority attribute based encryption with honest-but-curious

More information

STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS

STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS STRONGER SECURITY NOTIONS FOR DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES AND MORE EFFICIENT CONSTRUCTIONS Essam Ghadafi University College London e.ghadafi@ucl.ac.uk CT-RSA 2015 STRONGER SECURITY

More information

The Relation and Transformation between Hierarchical Inner Product Encryption and Spatial Encryption

The Relation and Transformation between Hierarchical Inner Product Encryption and Spatial Encryption The Relation and Transformation between Hierarchical Inner Product Encryption and Spatial Encryption Jie Chen, Hoon Wei Lim, San Ling, and Huaxiong Wang Nanyang Technological University, Singapore s080001@e.ntu.edu.sg

More information

Relations between Semantic Security and Anonymity in Identity Based Encryption

Relations between Semantic Security and Anonymity in Identity Based Encryption Relations between Semantic Security and Anonymity in Identity Based Encryption Javier Herranz 1, Fabien Laguillaumie 2, and Carla Ràfols 1 1 Dept. Matemàtica Aplicada IV, Universitat Politècnica de Catalunya,

More information

Inter-domain Identity-based Proxy Re-encryption

Inter-domain Identity-based Proxy Re-encryption Inter-domain Identity-based Proxy Re-encryption Qiang Tang, Pieter Hartel, Willem Jonker Faculty of EWI, University of Twente, the Netherlands {q.tang, pieter.hartel, jonker}@utwente.nl August 19, 2008

More information

Efficient Round Optimal Blind Signatures

Efficient Round Optimal Blind Signatures Efficient Round Optimal Blind Signatures Sanjam Garg IBM T.J. Watson Divya Gupta UCLA Complexity Leveraging Highly theoretical tool Used to obtain feasibility results Gives inefficient constructions Is

More information

Application to More Efficient Obfuscation

Application to More Efficient Obfuscation Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)

More information

A Procedural Based Encryption Technique for Accessing Data on Cloud

A Procedural Based Encryption Technique for Accessing Data on Cloud A Procedural Based Encryption Technique for Accessing Data on Cloud Avinash N 1, Divya C 2 P.G. Student, Department of Computer Science and Engineering, SVIT, Bangalore, Karnataka, India 1 Assistant Professor,

More information

The Relation and Transformation between Hierarchical Inner Product Encryption and Spatial Encryption

The Relation and Transformation between Hierarchical Inner Product Encryption and Spatial Encryption Noname manuscript No. (will be inserted by the editor) The Relation and Transformation between Hierarchical Inner Product Encryption and Spatial Encryption Jie Chen Hoon Wei Lim San Ling Huaxiong Wang

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

Homomorphic encryption (whiteboard)

Homomorphic encryption (whiteboard) Crypto Tutorial Homomorphic encryption Proofs of retrievability/possession Attribute based encryption Hidden vector encryption, predicate encryption Identity based encryption Zero knowledge proofs, proofs

More information

Somewhat Homomorphic Encryption

Somewhat Homomorphic Encryption Somewhat Homomorphic Encryption Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Part 1: Homomorphic Encryption: Background, Applications, Limitations Computing

More information

Matrix Access structure Policy used in Attribute-Based Proxy Re-encryption

Matrix Access structure Policy used in Attribute-Based Proxy Re-encryption Matrix Access structure Policy used in Attribute-Based Proxy Re-encryption Keying Li Faculty of science, Xidian University, Xi'an 710071, China Abstract Proxy re-encryption (PRE) allows a semi-trusted

More information

Bounded Ciphertext Policy Attribute Based Encryption

Bounded Ciphertext Policy Attribute Based Encryption Bounded Ciphertext Policy Attribute Based Encryption Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai Department of Computer Science, UCLA {vipul,abhishek,omkant,sahai}@cs.ucla.edu Abstract. In

More information

Online/Offline Attribute-Based Encryption

Online/Offline Attribute-Based Encryption Online/Offline Attribute-Based Encryption Susan Hohenberger 1 and Brent Waters 2 Johns Hopkins University and University of Texas at Austin Abstract. Attribute-based encryption (ABE) is a type of public

More information

Achieving Leakage Resilience through Dual System Encryption

Achieving Leakage Resilience through Dual System Encryption Achieving Leakage Resilience through Dual System Encryption Allison Lewko, Yannis Rouselakis, and Brent Waters The University of Texas at Austin {alewko,jrous,bwaters}@cs.utexas.edu Abstract. In this work,

More information

An Efficient Verifiable Multi-Authority Secret Access control scheme in Cloud Storage M.Sreelakshmi & P.Gangadhara

An Efficient Verifiable Multi-Authority Secret Access control scheme in Cloud Storage M.Sreelakshmi & P.Gangadhara An Efficient Verifiable Multi-Authority Secret Access control scheme in Cloud Storage M.Sreelakshmi & P.Gangadhara 1 M.Tech, Dept of CSE,Shri Shirdi Sai Institute of Science and Engineering, Affiliated

More information

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal and David J. Wu Public-Key Functional Encryption [BSW11, O N10] x f(x) Keys are associated with deterministic

More information

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Public Key Cryptography CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract

More information

Notes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange

Notes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange COS 597C: Recent Developments in Program Obfuscation Lecture 5 (9/29/16) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 5 1 Last Time Last time, we saw that we can get public

More information

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History

More information

Predicate Encryption for Circuits from LWE

Predicate Encryption for Circuits from LWE Predicate Encryption for Circuits from LWE Sergey Gorbunov 1, Vinod Vaikuntanathan 1, and Hoeteck Wee 2 1 MIT 2 ENS Abstract. In predicate encryption, a ciphertext is associated with descriptive attribute

More information

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Zhengjun Cao and Hanyue Cao Department of Mathematics, Shanghai University, Shanghai, China caozhj@shu.edu.cn Abstract. In 2007, Camenisch,

More information

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Sam Kim Stanford University Joint work with Dan Boneh, Rosario Gennaro, Steven Goldfeder, Aayush Jain, Peter M. R. Rasmussen, and Amit

More information

Efficient Multi-receiver identity-based encryption and its application to broadcast encryption

Efficient Multi-receiver identity-based encryption and its application to broadcast encryption University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2005 Efficient Multi-receiver identity-based encryption and its application

More information

Bounded-Collusion IBE from Key Homomorphism

Bounded-Collusion IBE from Key Homomorphism Bounded-Collusion IBE from Key Homomorphism Shafi Goldwasser 1, Allison Lewko 2, and David A. Wilson 3 1 MIT CSAIL and Weizmann Institute shafi@csail.mit.edu 2 UT Austin alewko@cs.utexas.edu 3 MIT CSAIL

More information

ISA 562: Information Security, Theory and Practice. Lecture 1

ISA 562: Information Security, Theory and Practice. Lecture 1 ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key

More information

PROGRAM obfuscation is the process of making it unintelligible

PROGRAM obfuscation is the process of making it unintelligible INTL JOURNAL OF ELECTRONICS AND TELECOMMUNICATIONS, 2018, VOL. 64, NO. 2, PP. 173 178 Manuscript received January 24, 2018; revised March, 2018. DOI: 10.24425/119366 Block Cipher Based Public Key Encryption

More information

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems

More information

Security Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13

Security Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13 Security Weaknesses of an Anonymous Attribute Based Encryption appeared in ASIACCS 13 Payal Chaudhari, Manik Lal Das, Anish Mathuria DA-IICT, Gandhinagar, India {payal chaudhari, maniklal das, anish mathuria}@daiict.ac.in

More information

Cryptography [Symmetric Encryption]

Cryptography [Symmetric Encryption] CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

Attribute Based Encryption for Multiples Authorities Using Shamir's Secret Sharing Algorithm

Attribute Based Encryption for Multiples Authorities Using Shamir's Secret Sharing Algorithm International Journal of Computer Science and Software Engineering Volume 1, Number 1 (2015), pp. 1-8 International Research Publication House http://www.irphouse.com Attribute Based Encryption for Multiples

More information

Definitions and Notations

Definitions and Notations Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of

More information

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA

More information

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways

More information

Collusion-Resistant Identity-based Proxy Re-encryption

Collusion-Resistant Identity-based Proxy Re-encryption Collusion-Resistant Identity-based Proxy Re-encryption Woo Kwon Koo 1, Jung Yeon Hwang 2, and Dong Hoon Lee 1,* 1 Graduate School of Information Security, Korea University, Seoul, Korea 2 Electronics and

More information

Insecurity of an Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption Scheme

Insecurity of an Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption Scheme 2014 Tenth 10th International Conference on Computational Intelligence and Security Insecurity of an Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption Scheme Changji Wang, Haitao

More information

Attribute-Sets: A Practically Motivated Enhancement to Attribute-Based Encryption

Attribute-Sets: A Practically Motivated Enhancement to Attribute-Based Encryption Attribute-Sets: A Practically Motivated Enhancement to Attribute-Based Encryption Rakesh Bobba, Himanshu Khurana and Manoj Prabhakaran University of Illinois, Urbana-Champaign IL USA, {rbobba,hkhurana,mmp}@illinois.edu

More information

Multi-Channel Broadcast Encryption

Multi-Channel Broadcast Encryption This extended abstract appeared in Proceedings of the 2013 ACM Symposium on Information, computer and communications security (AsiaCCS âăź13 (May 7 10, 2013, Hangzhou, China, pages??????, ACM Press, New

More information

Constraint hiding constrained PRF for NC1 from LWE. Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition

Constraint hiding constrained PRF for NC1 from LWE. Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition Constraint hiding constrained PRF for NC1 from LWE Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition 1 2 Puncture! 3 4 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos,

More information

information Black Box Traceable Ciphertext Policy Attribute-Based Encryption Scheme Information 2015, 6, ; doi:10.

information Black Box Traceable Ciphertext Policy Attribute-Based Encryption Scheme Information 2015, 6, ; doi:10. Information 2015, 6, 481-493; doi:10.3390/info6030481 OPEN ACCESS information ISSN 2078-2489 www.mdpi.com/journal/information Article Black Box Traceable Ciphertext Policy Attribute-Based Encryption Scheme

More information

On the Security of Group-based Proxy Re-encryption Scheme

On the Security of Group-based Proxy Re-encryption Scheme On the Security of Group-based Proxy Re-encryption Scheme Purushothama B R 1, B B Amberker Department of Computer Science and Engineering National Institute of Technology Warangal Warangal, Andhra Pradesh-506004,

More information

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look

More information

DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES

DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES Essam Ghadafi 1 Ali El Kaafarani 2 Dalia Khader 3 1 University of Bristol, 2 University of Bath, 3 University of Luxembourg ghadafi@cs.bris.ac.uk CT-RSA

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

Direct Chosen Ciphertext Security from Identity-Based Techniques

Direct Chosen Ciphertext Security from Identity-Based Techniques Updated version of a paper published in the proceedings of the 12th ACM Conference on Computer and Communications Security CCS 2005, Alexandria, VA, November 2005. Current version available from the IACR

More information

DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems

DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems Kan Yang, Xiaohua Jia, Kui Ren Department of Computer Science, City University of Hong Kong, Email: kanyang3@student.cityu.edu.hk

More information

Public Key Broadcast Encryption

Public Key Broadcast Encryption Public Key Broadcast Encryption Leyou Zhang Centre for Computer and Information Security University of Wollongong Australia 1 Nature Science Foundation(NSF) of China: Public key Broadcast Encryption(BE)(Finished,2010-2012)

More information

Upgrading to Functional Encryption

Upgrading to Functional Encryption Upgrading to Functional Encryption Saikrishna Badrinarayanan Dakshita Khurana Amit Sahai Brent Waters Abstract The notion of Functional Encryption (FE) has recently emerged as a strong primitive with several

More information

HIGH LEVEL SECURITY IMPLEMENTATION IN DATA SHARING ON SOCIAL WEBSITES

HIGH LEVEL SECURITY IMPLEMENTATION IN DATA SHARING ON SOCIAL WEBSITES HIGH LEVEL SECURITY IMPLEMENTATION IN DATA SHARING ON SOCIAL WEBSITES P.Senthil Kumar 1 Associate professor, PSNA college of engineering and technology,dindigul,tamilnadu,india Abstract: With the recent

More information

Privacy, Discovery, and Authentication for the Internet of Things

Privacy, Discovery, and Authentication for the Internet of Things Privacy, Discovery, and Authentication for the Internet of Things David J. Wu Ankur Taly Asim Shankar Dan Boneh Stanford University Google Google Stanford University The Internet of Things (IoT) Lots of

More information

Reducing Trust in the PKG in Identity Based Cryptosystems

Reducing Trust in the PKG in Identity Based Cryptosystems Reducing Trust in the PKG in Identity Based Cryptosystems Vipul Goyal Department of Computer Science University of California, Los Angeles vipul@cs.ucla.edu Abstract One day, you suddenly find that a private

More information

Exponent Properties: The Product Rule. 2. Exponential expressions multiplied with each other that have the same base.

Exponent Properties: The Product Rule. 2. Exponential expressions multiplied with each other that have the same base. Exponent Properties: The Product Rule 1. What is the difference between 3x and x 3? Explain in complete sentences and with examples. 2. Exponential expressions multiplied with each other that have the

More information

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang

More information

1 One-Time Pad. 1.1 One-Time Pad Definition

1 One-Time Pad. 1.1 One-Time Pad Definition 1 One-Time Pad Secure communication is the act of conveying information from a sender to a receiver, while simultaneously hiding it from everyone else Secure communication is the oldest application of

More information

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin and Shengli Liu Shanghai Jiao Tong University ASIACRYPT 2013 Dec 5, Bangalore,

More information

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption Dan Boneh 1 and Jonathan Katz 2 1 Computer Science Department, Stanford University, Stanford CA 94305 dabo@cs.stanford.edu

More information

An Encryption Scheme for a Secure Policy Updating

An Encryption Scheme for a Secure Policy Updating An Encryption Scheme for a Secure Policy Updating Luan Ibraimi Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, The Netherlands ibraimi@ewi.utwente.nl Muhammad

More information

Attribute-Sets: A Practically Motivated Enhancement to Attribute-Based Encryption

Attribute-Sets: A Practically Motivated Enhancement to Attribute-Based Encryption Attribute-Sets: A Practically Motivated Enhancement to Attribute-Based Encryption Rakesh Bobba, Himanshu Khurana and Manoj Prabhakaran University of Illinois at Urbana-Champaign {rbobba,hkhurana,mmp}@illinois.edu

More information

Mediated Ciphertext-Policy Attribute-Based Encryption and its Application

Mediated Ciphertext-Policy Attribute-Based Encryption and its Application Mediated Ciphertext-Policy Attribute-Based Encryption and its Application Luan Ibraimi 1,2, Milan Petkovic 2, Svetla Nikova 1, Pieter Hartel 1, Willem Jonker 1,2 1 Faculty of EEMCS, University of Twente,

More information

Private Database Queries Using Somewhat Homomorphic Encryption. Dan Boneh, Craig Gentry, Shai Halevi, Frank Wang, David J. Wu

Private Database Queries Using Somewhat Homomorphic Encryption. Dan Boneh, Craig Gentry, Shai Halevi, Frank Wang, David J. Wu Private Database Queries Using Somewhat Homomorphic Encryption Dan Boneh, Craig Gentry, Shai Halevi, Frank Wang, David J. Wu ACNS 2013 Fully Private Conjunctive Database Queries user SELECT * FROM db WHERE

More information

Structure-Preserving Certificateless Encryption and Its Application

Structure-Preserving Certificateless Encryption and Its Application SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow

More information

1 Achieving IND-CPA security

1 Achieving IND-CPA security ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces

More information

Multi-Theorem Preprocessing NIZKs from Lattices

Multi-Theorem Preprocessing NIZKs from Lattices Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 9: Identity based encryption (IBE), Cocks scheme. Benny Pinkas page 1 1 Related papers Lecture notes from MIT http://crypto.csail.mit.edu/classes/6.876/lecture-notes.html

More information

Certificateless Onion Routing

Certificateless Onion Routing Certificateless Onion Routing Dario Catalano Dipartimento di Matematica e Informatica Università di Catania - Italy catalano@dmi.unict.it Dario Fiore Dipartimento di Matematica e Informatica Università

More information

Multi-authority attribute based encryption with honest-but-curious central authority

Multi-authority attribute based encryption with honest-but-curious central authority Multi-authority attribute based encryption with honest-but-curious central authority Vladimir Božović 1, Daniel Socek 2, Rainer Steinwandt 1, and Viktória I. Villányi 1 1 Department of Mathematical Sciences,

More information

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( Mid Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations

More information

Identity-based Encryption with Efficient Revocation

Identity-based Encryption with Efficient Revocation Identity-based Encryption with Efficient Revocation Alexandra Boldyreva School of Computer Science Georgia Institute of Technology Atlanta, GA aboldyre@cc.gatech.edu Vipul Goyal Dept. of Computer Science

More information

Military Secured Network Data Transmission

Military Secured Network Data Transmission Military Secured Network Data Transmission Shubham Jain 1, Umesh Dusane 2, Smita Lokhande 3, Vinod Kadam 4, Asst. Prof. Neha Jamdar 5 1University of Pune, Sinhgad Institute of Technology and Science, jains7272@gmail.com

More information